You know those overnight successes who toiled in the background for 10 years before they finally broke through? How did they get there? How did they work through the Dip to reach the other side? I am fascinated by organizations which have success year after year. They seem to take the long view, set up the foundation, and stay committed to the plan. Even when other folks push for (and get) faster results, opting for short-term fixes. These band-aids may provide a short-term pop, but rarely result in longer-term results.

Sure that’s part of my rationalization for why the Falcons lost at the precipice of the Super Bowl. That they have built the organization the right way over the past 5 years, and will be back. You see those attributes in all the NFL organizations that seem to be competitive year after year. They work the plan. They build through the draft. They don’t react to a bad season or two. It’s unlikely Pittsburgh or the NY Giants will blow up their environment because they missed the playoffs this year. They have stability. And that stability leads to sustained success.

By the way, it’s not just my football obsession that cause me to fixate on this. As Rich said, we had a good 2012. But my paranoid self (I am a security guy, after all) continues to look for our Achilles heel. One good year – hell, even two good years – doesn’t mean the foundation for sustainable success is there. And as you see with all our new linky posts, even when things are going well, we need to adapt and change based on market realities. As Deming so famously said, “It is not necessary to change. Survival is not mandatory.”

So I spent a good deal of time over the holidays digging into our good year. Partly because I was curious, but mostly trying to determine whether our results are sustainable. The honest answer is that I don’t know. I know what we did from an activity standpoint and we are still doing that. But past success is no guarantee of future results. So I will keep looking for holes in the story. We all keep looking for holes. We’ll keep trying new things to see what works, and more importantly what doesn’t. But most of all, we will continue to grind. We may not achieve sustained success, but it won’t be due to lack of effort. That I can guarantee.


Photo credits: Sustainable Food Poster originally uploaded by Steven-L-Johnson

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. The Hunt for Red October: Not that you had any doubts as to the sophistication of today’s attackers, but Kaspersky’s description of the Red October attack drives it home loudly and clearly. This is a multi-faceted effort undertaken over the past 5 years using sophisticated malware and tactics to infiltrate lots of places where information can be stolen and monetized. AlienVault worked with the Kaspersky folks to isolate the indicators of compromise (IoC) shown by Red October, and this is an example of Early Warning, but not early enough. You can now use the IoC information to see if you have devices already compromised. We will also see lots of hand wringing about who was behind the attacks. The stolen data is sensitive nation-state stuff, but that doesn’t mean nation-states are actually behind the attacks. Kaspersky says it’s Russian crime syndicates, adding a lot of news value to the research, but RSA says there isn’t enough information to draw a conclusion one way or the other. And at the end of the day, I’m not sure identifying the actor really makes a difference. It’s not like you can send them a cease and desist letter. – MR
  2. PCI drops pants, doesn’t care: Oh, PCI Standards Council, there you go again. The same people who claim, “no PCI compliant organization has ever been breached” apparently can’t even decide what their own standards are. Approved Scanning Vendors (ASVs) are the companies authorized to perform scans on Internet-facing applications. If you run so much as the smallest doggie donut web store, and you take credit cards, you need to be scanned. There’s an annual review process for ASVs, which costs $10K a shot, and according to Brett Hardin not only does everyone fail the first time, but the same report submitted twice under different letterhead gets graded differently. In the words of the grader, “Well, security and PCI-DSS aren’t exact sciences.” Uh huh, then how about some free passes? – RM
  3. Eyes on the prize: Every large retail firm I have spoken with has a VP or Director of Data Analytics. Macy’s foray into big data in the cloud is one example, and Target’s recent ‘success’ has been highlighted as well. Many other verticals have similar positions within marketing or IT. These people are popping up everywhere as data analysis becomes a core function of business. Make no mistake – big data is a huge trend and it is changing the way companies market and sell products. And assess risk. And evaluate investments. But every firm also has Identity and Access management, both for customers and employees. Ever hear about a VP of access and identity? Director? Me either. Every employee uses IAM every day, and it gates access to every electronic service. Think about that the next time you wonder where security ranks on the scale of business importance. – AL
  4. It costs what? Next! A great analysis by Ken Malmquist in Vulnerability Remediation: A Case Study, which captures the typical process organizations go through when trying to address SQL injection issues in application code. The natural defense? Stored procedures. The reality? Rewriting and retesting 50,000 queries closely tied into application code and moving them into the database. Yeah, that’s not going to happen. And that’s when we start looking at input filtering at the WAF layer, database monitoring, whitelisting, etc. Cost effective and a quick way to reduce risk by 95%; risk reduction strategies are the only palatable approaches companies will approve – and that’s okay. – AL
  5. Cyberinsurance might not be a total scam soon: I have always dogged on cyberinsurance. Without any actuarial or risk tables, how the heck can they even price it? It seemed that all it bought you was a seat at an arbitration table, and without inspections or standards it seems awfully easy to find the breached company negligent and reduce the payout. I spit a little water out my nose when I heard of a company buying cyberinsurance after a pen test instead of fixing the problems. But according to our friends over at the New School, the underwriters are starting to pull together some good statistics and getting a better handle on the chaotic situation. As Adam wrote, it sure would be nice if they published some of their information to help the rest of us make risk decisions. Even if it’s only to their clients, because that would totally leak anyway. – RM
  6. Revisiting the weakest link: Shimmy makes a good point, reiterating something I keep from big companies: the weakest link still sits behind the keyboard. These large enterprise security folks acknowledge they can’t stop the attackers and that their employees are more often than not the initial attack vector. The only way to patch that hole is through security education – protecting users from themselves with draconian device lockdown technology hasn’t worked well culturally. So I expect to see a lot more effort put behind security awareness training. I’m painfully aware that you can’t fix stupid. Certainly not in a classroom or via a CBT program, but just accepting your sad lot in life, and spending all day with your pooper scooper cleaning up the mess doesn’t seem like a great option either. The first line of defense needs to be a security-aware culture, and as you turn your nose up at that thought (you elitist security snob) one of your employees just clicked on a link and got their machine pwned. Again. – MR